1. Home
  2. Vulnerabilities
  3. CVE-2025-26399
Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2025-26399
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Overview
Description

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

Details
INFO

Published Date :

Sept. 23, 2025, 5:15 a.m.

Last Modified :

March 10, 2026, 1:11 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399 ; https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm ; https://nvd.nist.gov/vuln/detail/CVE-2025-26399

Impact
Affected Products

The following products are affected by CVE-2025-26399 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Solarwinds web_help_desk
: Total Affected Vendor : 1 | Products : 1
Scoring
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 49f11609-934d-4621-84e6-e02e032104d6
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL [email protected]
Solution
Update SolarWinds Web Help Desk to patch deserialization RCE.
  • Update SolarWinds Web Help Desk to the latest version.
  • Apply any available security patches from SolarWinds.
  • Monitor systems for signs of compromise.
  • Restrict access to vulnerable systems.
Public PoC/Exploit Available at Github

CVE-2025-26399 has a 7 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-26399.

URL Resource
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm Release Notes
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399 Patch Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399 US Government Resource
https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/ Third Party Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-26399 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-26399 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
Nathan9745354/OpenClaw-Free-Security-Threat-Intel

This is using OpenClaw Automated weekly IT security reports, summaries, and PDFs published to GitHub Pages.

HTML

Updated: 1 week, 3 days ago
0 stars 0 fork 0 watcher
Born at : March 13, 2026, 3:03 a.m. This repo has been linked 5 different CVEs too.
Profile Photo
lucacapacci/PoC-in-GitHub

Mirror of https://github.com/nomi-sec/PoC-in-GitHub

Updated: 1 month, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Feb. 7, 2026, 10:02 a.m. This repo has been linked 789 different CVEs too.
Profile Photo
h4xnz/CVE-2025-26399-Exploit

None

Updated: 6 months ago
1 stars 0 fork 0 watcher
Born at : Sept. 23, 2025, 4:35 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
rxerium/CVE-2025-26399

Detection for CVE-2025-26399

critical nuclei solarwinds vulnerability

Updated: 5 months, 2 weeks ago
2 stars 1 fork 1 watcher
Born at : Sept. 23, 2025, 11:34 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
PuddinCat/GithubRepoSpider

监控Github最新网络安全相关的仓库...

cve cybersecurity github spider

Shell Python Nix

Updated: 6 months, 1 week ago
26 stars 5 fork 5 watcher
Born at : May 9, 2025, 2:29 p.m. This repo has been linked 36 different CVEs too.
Profile Photo
rxerium/stars

A list of all of my starred repos, automated using Github Actions 🌟

github-actions stars

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Jan. 4, 2023, 11:20 a.m. This repo has been linked 39 different CVEs too.
Profile Photo
nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 week, 3 days ago
7589 stars 1242 fork 1242 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 778 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-26399 vulnerability anywhere in the article.

  • Daily CyberSecurity
Weekly Threat Intelligence Briefing: Chrome Zero-Days, SolarWinds RCE, and a Surge in Critical PoCs

The Executive Summary Over the past seven days, our CVE Watchtower intercepted 1,388 new vulnerabilities, highlighting a relentless week in the cybersecurity landscape. While the sheer volume is high, ... Read more

Published Date: Mar 16, 2026 (2 weeks, 2 days ago)
  • CybersecurityNews
SolarWinds Web Help Desk Deserialization Vulnerability Enables Command Execution

SolarWinds Web Help Desk Deserialization Vulnerability Cybersecurity authorities have flagged a severe security flaw in SolarWinds Web Help Desk that requires immediate attention from system administr ... Read more

Published Date: Mar 12, 2026 (2 weeks, 5 days ago)
  • Daily CyberSecurity
Critical RCE Vulnerabilities Uncovered in Janitza and Weidmueller Energy Meters

Energy management systems are under the microscope following a security advisory from CERT@VDE, which reveals multiple critical vulnerabilities in Janitza and Weidmueller devices. These flaws, if expl ... Read more

Published Date: Mar 11, 2026 (3 weeks ago)
  • Daily CyberSecurity
The ‘Must-Patch’ List: CISA Adds Actively Exploited SolarWinds, Ivanti, and Omnissa Flaws to KEV

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding three high-stakes flaws that are currently being leveraged by malicio ... Read more

Published Date: Mar 10, 2026 (3 weeks ago)
  • The Hacker News
CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Th ... Read more

Published Date: Mar 10, 2026 (3 weeks, 1 day ago)
  • TheCyberThrone
CISA KEV Catalog Update – March 9 2026

March 10, 2026CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog today, based on evidence of active exploitationCVE-2026-1603 — Ivanti Endpoint Manager (EPM) ... Read more

Published Date: Mar 10, 2026 (3 weeks, 1 day ago)
  • Huntress
A Threat Actor Abuses Another Free Trial

TL; DR Huntress discovered a threat actor was exploiting vulnerabilities (like SolarWinds Web Help Desk) and exfiltrating victim data to a free trial instance of Elastic Cloud SIEM. The actor used the ... Read more

Published Date: Mar 06, 2026 (3 weeks, 4 days ago)
  • europa.eu
Cyber Brief 26-03 - February 2026

Cyber Brief (February 2026)March 2, 2026 – Version: 1TLP:CLEARExecutive summaryWe analysed 303 open source reports for this Cyber Security Brief1.Relating to cyber policy and law enforcement, the Euro ... Read more

Published Date: Mar 02, 2026 (4 weeks, 1 day ago)
  • Huntress
Hiding in Plain Sight with App Domain Manager Injection

A little-known feature of the .NET framework allows attackers to execute malicious code inside trusted, Microsoft-signed applications without exploiting a software flaw or dropping a standalone payloa ... Read more

Published Date: Feb 19, 2026 (1 month, 1 week ago)
  • The Hacker News
Researchers Observe In-the-Wild Exploitation of BeyondTrust CVSS 9.9 Vulnerability

Threat actors have started to exploit a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products, according to watchTowr. "Overni ... Read more

Published Date: Feb 13, 2026 (1 month, 2 weeks ago)
  • Help Net Security
Unpatched SolarWinds WHD instances under active attack

Internet‑exposed and vulnerable SolarWinds Web Help Desk (WHD) instances are under attack by threat actors looking to gain an initial foothold into target organizations’ networks, Microsoft and Huntre ... Read more

Published Date: Feb 10, 2026 (1 month, 3 weeks ago)
  • Daily CyberSecurity
Virtual Invasion: SolarWinds WHD Exploited to Host Hidden QEMU VMs

Image: Microsoft In a striking display of “living off the land” gone wrong, threat actors are turning legitimate administrative tools into stealthy backdoors. The Microsoft Defender Research Team has ... Read more

Published Date: Feb 10, 2026 (1 month, 3 weeks ago)
  • The Register
Someone's attacking SolarWinds WHD to steal high‑privilege credentials - but we don't know who or how

Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into victims' IT environments, move laterally, and steal high-privilege credentials, according to Micros ... Read more

Published Date: Feb 09, 2026 (1 month, 3 weeks ago)
  • security.nl
Microsoft meldt aanvallen op SolarWinds Help Desk-installaties

Aanvallers hebben in december aanvallen uitgevoerd tegen SolarWinds Help Desk-installaties, zo meldt Microsoft. Welke kwetsbaarheden de aanvallers daarbij gebruikten is volgens het techbedrijf onduide ... Read more

Published Date: Feb 09, 2026 (1 month, 3 weeks ago)
  • The Hacker News
SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers

Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move l ... Read more

Published Date: Feb 09, 2026 (1 month, 3 weeks ago)
  • CybersecurityNews
Hackers Actively Exploiting SolarWinds Web Help Desk RCE Vulnerability to Deploy Custom Tools

SolarWinds Vulnerability Actively Exploited Active exploitation of a remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) is accelerating, with attackers rapidly weaponizing com ... Read more

Published Date: Feb 09, 2026 (1 month, 3 weeks ago)
  • Huntress
Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up. TL;DR: Huntress has observed threat actors exploiting SolarWinds ... Read more

Published Date: Feb 08, 2026 (1 month, 3 weeks ago)
  • The Hacker News
SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication by ... Read more

Published Date: Jan 29, 2026 (2 months ago)
  • CybersecurityNews
Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.a ... Read more

Published Date: Jan 29, 2026 (2 months ago)
  • BleepingComputer
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws

SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. The authentication bypass secu ... Read more

Published Date: Jan 28, 2026 (2 months ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-26399 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Mar. 10, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399 Types: US Government Resource
    Added Reference Type CISA-ADP: https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/ Types: Third Party Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Mar. 09, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399
    Added Reference https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
  • Initial Analysis by [email protected]

    Nov. 14, 2025

    Action Type Old Value New Value
    Added CPE Configuration OR *cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:* versions up to (including) 12.8.6 *cpe:2.3:a:solarwinds:web_help_desk:12.8.7:-:*:*:*:*:*:*
    Added Reference Type SolarWinds: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm Types: Release Notes
    Added Reference Type SolarWinds: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399 Types: Patch, Vendor Advisory
  • New CVE Received by [email protected]

    Sep. 23, 2025

    Action Type Old Value New Value
    Added Description SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm
    Added Reference https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
Base CVSS Score: 9.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact